Security Updates - 2009/2010
Best Practice / Research updates
- NIST has published a draft revision of an important risk management framework that guides how agencies implement and demonstrate compliance with FISMA: SP 800-37 Rev. 1 (DRAFT), Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. In my opinion this strengthens the guidance and makes it easier to implement. The draft was open for comment until the end of December, so look for a release sometime in January.
- ISACA has published two new sets of documents for members: an updated guideline on implementing and improving IT governance, and a new framework and practitioner tool-set (Risk IT) for identifying and managing IT risk. In my opinion the Risk IT material provides a great high-level explanation of IT risk management principles and an excellent set of tools for identifying and measuring risks as part of an assessment. If you have IT risk management responsibilities and aren't a member of ISACA, it's time to sign up!
There are tons of new updates to tools, in fact too many to list them all here - if your job requires finding and using open-source and commercial tools, your toolbox just got a lot bigger.
PacketStorm Security has posted a bunch of updates to open-source tools recently, too many to list, but notables include:
- wafp - web application finger printing
- hostmap - for mining DNS information
- wapiti - new release of the web application vulnerability scanner
- scapy - update to a great packet manipulator
- metasploit! - after the Rapid7 acquisition lots of development happening here...